Amendments to the Claims: 

This listing of claims will replace all prior versions, and listings, of claims in the
application:

Listing of Claims: 

1. (Currently Amended) A system comprising: 

at least a first input mechanism to receive first multi-factor authentication 
data associated with Z authentication factors of Z types; 

a cryptographic engine to encrypt the first multi-factor authentication data; 

a separated user authentication, non-volatile data store to store the 
encrypted first multi-factor authentication data; and 

a first processing unit to determine whether second authentication data
received via the at least first input mechanism matches a subset of the first
multi-factor authentication data, the second authentication data associated with N
authentication factors of N types where N is less than or equal to Z, a user being
authenticated if the second authentication data matches the subset of the first
authentication data.

2. (Original) The system of claim 1 wherein the first input 
mechanism includes at least one biometric input mechanism. 

3. (Original) The system of claim 1 further including 

a Trusted Platform Module, the cryptographic engine being included in the 
Trusted Platform Module. 

4. (Original) The system of claim 1 wherein the first processing
unit is one of a microprocessor, a digital signal processor, and an embedded 
processor. 

5. (Original) The system of claim 4 wherein the first processing 
unit implements a security technology to provide for protected execution. 

6. (Original) The system of claim 4 further including a second 
processing unit separate from the first processing unit. 

7. (Currently Amended) A system comprising:

a first processor to execute instructions;

a first non-volatile memory to store instructions to be executed by the 
processor; 

a bus coupled to the processor and the first non-volatile memory to 
communicate information; and 

a user authentication sub-system coupled to the bus, the user 
authentication sub-system including: 

a user authentication input module to receive first user 
authentication data of N types;

a second, separated non-volatile memory to store an encrypted 
version of the first user authentication data; and 

a second user-authentication processor to determine whether
second user authentication data matches at least a corresponding subset
of the first user authentication data, the second user authentication data
including authentication data of Z types, where N is less than Z.

8. (Original) The system of claim 7 wherein the user authentication 
sub-system further includes 

a cryptographic engine to encrypt the first user authentication data prior to 
storage. 

9. (Currently Amended) The system of claim 8 wherein the
cryptographic engine is included in a trusted platform module Trusted Platform
Module.

10. (Original) The system of claim 7 wherein the user authentication 
input module is to receive first authentication data including at least one biometric 
authentication factor. 

11. (Canceled) 

12. (Original) The system of claim 7 wherein the second non- 
volatile memory is physically separated from the first non-volatile memory. 

13. (Original) The system of claim 7 wherein the second
non-volatile memory is logically separated from the first non-volatile memory.

14. (Currently Amended) A method comprising: 

receiving first multi-factor authentication data at a user-authentication sub- 
system JheJlj^tjrnuJtjrfe 
authentication data ; 

decrypting second multi-factor authentication stored in a separated
non-volatile memory, the second multi-factor authentication data including Z types of
authentication data where N is less than Z; and

determining whether the first multi-factor authentication data matches at 
least a corresponding subset of the second multi-factor authentication data. 

15. (Original) The method of claim 14 further comprising:

granting access to a resource if the first multi-factor authentication data
matches at least a corresponding subset of the second multi-factor authentication
data; and

denying access to the resource if the first multi-factor authentication data 
does not match at least a corresponding subset of the second multi-factor 
authentication data. 

16. (Original) The method of claim 15 further comprising: 

requesting the first multi-factor authentication data in response to an
attempt to access the resource. 

17. (Original) The method of claim 14 wherein receiving first multi- 
factor authentication data includes receiving at least one biometric data input 
type. 

18. (Original) The method of claim 14 further comprising

receiving the second multi-factor authentication data;

encrypting the second multi-factor authentication data; and

storing the second multi-factor authentication data in the separated, non- 
volatile memory. 

19. (Original) The method of claim 14 wherein 

determining whether the first multi-factor authentication data matches at 
least a corresponding subset of the second multi-factor authentication data 
includes using an authentication processor separate from a main processor. 

20. (Withdrawn) A method comprising: 

generating at a requestor a request to authenticate a user;

performing a bi-lateral authentication process to bi-laterally authenticate a
user authentication sub-system and the requestor; and

authenticating a user with the user authentication sub-system prior to
granting access to a resource if the sub-system and the requestor are bi-laterally 
authenticated. 

21. (Withdrawn) The method of claim 20 wherein performing the
bi-lateral authentication process includes exchanging data encrypted with
previously exchanged keys. 

22. (Withdrawn) The method of claim 20 wherein authenticating a user 
with the user authentication sub-system includes authenticating a user with an 
operating system-independent user authentication sub-system. 

23. (Withdrawn) A method comprising: 

in response to receiving a request for user authentication, checking a 
platform configuration register to determine if a platform configuration has 
changed since a previous time the platform configuration register was checked; 
and 

performing a user authentication process with a user authentication sub- 
system only if it is determined that the platform configuration has not changed. 

24. (Withdrawn) The method of claim 23 wherein performing the user 
authentication process with the user authentication sub-system includes 

receiving first multi-factor authentication data at the user authentication
sub-system; 

decrypting second multi-factor authentication stored in a separated non- 
volatile memory; and 

determining whether the first multi-factor authentication data matches at 
least a corresponding subset of the second multi-factor authentication data. 

25. (Withdrawn) The method of claim 24 wherein receiving first multi- 
factor authentication data includes receiving at least one biometric data type. 

26. (Withdrawn) The method of claim 24 further comprising

controlling access to a resource based on whether the first multi-factor
authentication data matches at least a corresponding subset of the second
multi-factor authentication data.

27. (Withdrawn) The method of claim 26 wherein controlling access to 
a resource includes controlling access to at least one of an enterprise resource, 
an application and a computer system. 

28. (Currently Amended) A tangible machine-accessible storage 
medium storing data that, when accessed by a machine, causes the machine to 
perform a method including: 

requesting an autonomous user authentication sub-system to perform a
user authentication process; 

requesting a user to provide first multi-factor authentication data including 
N types of authentication data; and

determining whether to grant access to a resource based on whether the 
user authentication sub-system determines that the first multi-factor 
authentication data matches at least a corresponding subset of second
multi-factor authentication data encrypted and stored in a separated non-volatile
memory of the sub-system, the second multi-factor authentication data including
Z types of authentication data, where N is less than Z.

29. (Currently Amended) The tangible machine-accessible 
storage medium of claim 28 wherein requesting the user to provide first multi- 
factor authentication data includes requesting at least one biometric input data 
type. 